OpenLDAP Directory Administration
LDAP Interoperability
Table of Contents
● Introduction
● Interoperability or Integration
● Directory Gateways
● Cross-Platform Authentication Services
● Distributed, Multi-vendor Directories
● Metadirectories
● Push/Pull Agents for Directory Synchronization
Introduction
● Why a chapter on interoperability when LDAP is supposed to be a standard protocol?
● The selling point of LDAP is its potential for consolidating vendor-specific and application-specific directories
● LDAP “minimizes” interoperability problems
● The core features of LDAP are standardized, but things such as schemas are not: many common object classes can be extended by vendors
● The protocol itself can be extended as well
● For each service consolidated into an LDAP directory, there must be a corresponding client-side application that can access the old information in the new directory
● This chapter discusses the technologies used to solve these problems
Interoperability or Integration?
● Directory integration means enabling client applications to access data in an LDAP directory
● Interoperability addresses communication between LDAP servers themselves
● The distinction blurs when one LDAP server becomes the client of another LDAP server
● The first question should always be: what level of integration or interoperability does your application require?
● Some common approaches are listed on the next page
Interoperability or Integration? (cont.)
● “What can I do if my application doesn't speak LDAP?”
– Possible solution: gateways that translate one directory access protocol into another
– Example: the NIS/LDAP gateway presented in Chapter 6
● “How can users in a non-Unix administrative domain access services on Unix hosts?”
– Possible solution: cross-platform authentication services
– Example: authenticating non-Microsoft clients against an Active Directory
● “How can I join information contained in different directories?”
– Possible solution: distributed, multi-vendor directories glued together by referrals and references
– Example: connecting directories from different vendors into a single DIT
● “How can I unify access to the databases and directories held by multiple departments in my organization?”
– Possible solution: metadirectories that provide an integrated view of several disjoint directories and databases
– Example: using an LDAP proxy server to translate entries from a second directory into the format needed by client applications
● “How can I implement replication or synchronization between directories from different vendors?”
– Possible solution: push/pull agents that synchronize information from one directory to another
– Example: custom scripts or in-house tools that pull data from one server and upload it to another directory after translating it into a format understood by the second server
Directory Gateways
● Gateways have existed for a very long time, e.g. between different email formats, network filesystems, etc.
● Examples:
– PADL's ypldapd daemon: from the LDAP server's point of view, this is actually just another LDAP client
– The NIS/LDAP gateway shipped with Microsoft “Windows Services for Unix (SFU)”
● Provides tools for importing data from a NIS domain into Active Directory
● Main advantage of using a gateway:
– You usually don't have to modify any clients
– This results in a lower cost of administration
● Disadvantages:
– Additional overhead, and the clients don't take advantage of LDAP
Cross-Platform Authentication Services
● Not: interoperability between directory services
● But: interoperability between a specific directory service and non-native clients
● e.g.
– NIS/Active Directory Gateway included in Microsoft's “Services for UNIX”
– PADL's PAM and NSS LDAP modules
– Active Directory + Kerberos 5
Distributed, Multi-vendor Directories
● LDAP servers from various vendors can be linked into a single, logical, distributed directory
● Why a multi-vendor directory?
– A single-vendor directory may force you to take decisions that you are uncomfortable with
– e.g. say a product (a calendar server) has only been tested with a particular LDAP server; possible solutions:
● Abandon the calendar server
● Replace the existing directory
● Install the LDAP server that supports the calendar application and include it as a subtree of your existing directory framework
– The last option is the only one that makes sense
● How is this any different from the myriad of application-specific directories in the past?
– Here there is a single access protocol for clients and admin tools
Distributed, Multi-vendor Directories (cont.)
Example: Connecting OpenLDAP to Active Directory
– A working OpenLDAP server, naming context dc=plainjoe,dc=org
– An Active Directory, DNS domain ad.plainjoe.org, naming context dc=ad,dc=plainjoe,dc=org
[Diagram: OpenLDAP (dc=plainjoe,dc=org) and Windows Active Directory (dc=ad,dc=plainjoe,dc=org), joined by a referral to ldap://ldap.plainjoe.org/dc=ad,dc=plainjoe,dc=org and a reference to ldap://ldap.plainjoe.org/dc=plainjoe,dc=org]
Distributed, Multi-vendor Directories (cont.)
Example: Connecting OpenLDAP to Active Directory (cont.)
– We need to add two knowledge references to this system:
● Point from the Active Directory service to the OpenLDAP server
● Refer client searches from the OpenLDAP server to the Active Directory domain
– The ADSI Edit MMC snap-in is required
● Found in \support\tools on the Windows CD
Distributed, Multi-vendor Directories (cont.)
Example: Connecting OpenLDAP to Active Directory (cont.)
Create a referral from AD to OpenLDAP:
● Must be created inside the cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org container
● Create a new crossRef object
● Add a node named OpenLDAP with an nCName attribute whose value is dc=plainjoe,dc=org, and a dnsRoot attribute with the value ldap.plainjoe.org
● The corresponding LDIF (the container's RDN is cn=Configuration, as stated above, and the object class is crossRef):
dn: cn=OpenLDAP,cn=Partitions,cn=Configuration,dc=ad,dc=plainjoe,dc=org
objectClass: crossRef
cn: OpenLDAP
nCName: dc=plainjoe,dc=org
dnsRoot: ldap.plainjoe.org
● This instructs the Active Directory server to return a referral of the form ldap://ldap.plainjoe.org/dc=plainjoe,dc=org to clients in response to an LDAP search under that naming context
Distributed, Multi-vendor Directories (cont.)
Example: Connecting OpenLDAP to Active Directory (cont.)
Add the corresponding knowledge reference to OpenLDAP:
● LDIF of the object to add to OpenLDAP (saved as ad-referral.ldif):
dn: dc=ad,dc=plainjoe,dc=org
objectclass: referral
objectclass: dcObject
ref: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org
dc: ad
● ldapadd syntax:
$ ldapadd -D "cn=Manager,dc=plainjoe,dc=org" -w secret -x \
> -H ldap://ldap.plainjoe.org/ -f ad-referral.ldif
Distributed, Multi-vendor Directories (cont.)
Example: Connecting OpenLDAP to Active Directory (cont.)
Testing Lookups:
● This search did not follow the referral, so no results are displayed:
$ ldapsearch -H ldap://ad.plainjoe.org/ -x \
> -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
Referral (10)
Additional information: 00002028: RefErr: DSID-031005EE, data 0, 1 access points
	ref 1: 'ldap.plainjoe.org'
Referral: ldap://ldap.plainjoe.org/ou=people,dc=plainjoe,dc=org
Distributed, Multi-vendor Directories (cont.)
Example: Connecting OpenLDAP to Active Directory (cont.)
Testing Lookups (cont.):
● This search follows the referral (-C switch):
$ ldapsearch -h ad.plainjoe.org -x -C \
> -b "ou=people,dc=plainjoe,dc=org" -LLL "(uid=jerry)"
dn: cn=Gerald Carter,ou=people,dc=plainjoe,dc=org
objectClass: posixAccount
objectClass: account
objectClass: sambaAccount
cn: Gerald Carter
uidNumber: 780
uid: jerry
gidNumber: 100
homeDirectory: /home/queso/jerry
loginShell: /bin/bash
rid: 2560
acctFlags: [UX ]
pwdLastSet: 1018451245
Distributed, Multi-vendor Directories (cont.)
Example: Connecting OpenLDAP to Active Directory (cont.)
Testing Lookups (cont.):
● The other way round: search OpenLDAP for data stored in Active Directory
● By default, Active Directory does not support anonymous searches (apart from its rootDSE), hence we only get a referral (test with and without the -C option):
$ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
> -b "dc=ad,dc=plainjoe,dc=org" -LLL -C "(sAMAccountName=kristi)"
# refldap://ad.plainjoe.org/CN=Configuration,DC=ad,DC=plainjoe,DC=org
$ ldapsearch -x -H ldap://ldap.plainjoe.org/ \
> -b "dc=ad,dc=plainjoe,dc=org" -LLL "(sAMAccountName=kristi)"
Referral (10)
Matched DN: dc=ad,dc=plainjoe,dc=org
Referral: ldap://ad.plainjoe.org/dc=ad,dc=plainjoe,dc=org??sub
● See more info under Single sign-on, Kerberos: Cross-platform authentication services
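To make the two knowledge references concrete, here is an added Python model (not the book's or OpenLDAP's code) of how each server turns a client's search base into the referral URLs shown above, together with the check a cautious client should make before chasing a referral with -C; the trusted-host allowlist is an assumption.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: the only servers whose referrals a client of ours should chase.
TRUSTED_REFERRAL_HOSTS = {"ldap.plainjoe.org", "ad.plainjoe.org"}


def rdns(dn: str) -> List[str]:
    """Split a DN into RDNs normalised for comparison (no escaped commas assumed)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_at_or_below(base: str, context: str) -> bool:
    """True when `base` names `context` itself or an entry beneath it."""
    b, c = rdns(base), rdns(context)
    return len(b) >= len(c) and b[len(b) - len(c):] == c


def ad_referral(base: str, own_contexts: List[str], ncname: str, dnsroot: str) -> Optional[str]:
    """Referral the DC returns for a base under the crossRef's nCName that lies in
    no partition the DC holds itself: ldap://<dnsRoot>/<client base>, as in the
    'Referral (10)' output above."""
    if any(is_at_or_below(base, ctx) for ctx in own_contexts):
        return None                      # the DC answers this search itself
    if not is_at_or_below(base, ncname):
        return None                      # no knowledge reference applies
    return f"ldap://{dnsroot}/{base}"


def slapd_referral(base: str, ref_dn: str, ref_url: str, scope: str = "sub") -> Optional[str]:
    """Referral slapd returns for a base at or below a `referral` entry: the ref
    URL, with any RDNs beneath the entry prepended to its DN and the search
    scope appended (the ??sub seen above)."""
    if not is_at_or_below(base, ref_dn):
        return None
    extra = [p.strip() for p in base.split(",")][: len(rdns(base)) - len(rdns(ref_dn))]
    url = urlsplit(ref_url)
    target_dn = ",".join(extra + [url.path.lstrip("/")])
    return f"{url.scheme}://{url.netloc}/{target_dn}??{scope}"


def safe_to_chase(url: str, trusted=TRUSTED_REFERRAL_HOSTS) -> bool:
    """Chasing a referral (-C) opens a new connection, and possibly a new bind, to
    whatever host the URL names, so only follow it to servers we administer."""
    parts = urlsplit(url)
    return parts.scheme in ("ldap", "ldaps") and (parts.hostname or "").lower() in trusted


if __name__ == "__main__":
    r = ad_referral("ou=people,dc=plainjoe,dc=org", ["dc=ad,dc=plainjoe,dc=org"],
                    "dc=plainjoe,dc=org", "ldap.plainjoe.org")
    print(r, safe_to_chase(r))
```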
Metadirectories
● The term describes any solution that joins distinct, isolated data sources into a single logical volume
● Popular products on the market:
– MaXware MetaCenter (http://www.maxware.com/)
– Siemens DirXmetahub (http://www.siemens.ie/fixedoperators/CarrierNetworks/Meta/dirxmetahub.htm)
– Sun Microsystems SunONE MetaDirectory (http://wwws.sun.com/software/products/meta_directory/home_meta_dir.html)
– Novell's eDirectory and DirXML combination (http://www.novell.com/products/edirectory/)
– Microsoft Metadirectory Services (http://www.microsoft.com/windows2000/technologies/directory/MMS)
● A metadirectory is any directory service that presents an alternative view of a data source
Metadirectories (cont.)
OpenLDAP's Proxy Backend
– Translates the server's schema into a different view, suitable for a particular application
– No replication or synchronization of data
– E.g. a client expects a directory to provide an email address via the mail attribute; assume an Active Directory where the Kerberos principal name is username@domain (userPrincipalName). It makes no sense to duplicate this information
– Requirements:
● The Active Directory domain must be configured for the DNS domain ad.plainjoe.org
● The DNS name ad.plainjoe.org must resolve to the IP address of an Active Directory domain controller for that domain
● An account named ldap-proxy must be created in AD for use by the proxy server when binding to a Windows DC
Metadirectories (cont.)
OpenLDAP's Proxy Backend (cont.)
– Supports updating the target via the proxy, and supports ACLs
– This backend is not enabled by default
– Recompile with the ldap backend and rewrite support, then create a new database in slapd.conf:
$ ./configure --enable-ldap --enable-rewrite
database ldap
suffix ou=windows,dc=plainjoe,dc=org
uri ldap://ad.plainjoe.org
suffixmassage ou=windows,dc=plainjoe,dc=org cn=users,dc=ad,dc=plainjoe,dc=org
binddn cn=ldap-proxy,cn=users,dc=ad,dc=plainjoe,dc=org
bindpw proxy-secret
map attribute uid sAMAccountName
map attribute cn name
map attribute mail userPrincipalName
map objectclass account user
map attribute *
Metadirectories (cont.)
OpenLDAP's Proxy Backend (cont.)
– See the result: first query Active Directory directly (the attributes the proxy will provide are shown in italic on the slide)
$ ldapsearch -H ldap://ad.plainjoe.org -x \
> -D ldap-proxy@ad.plainjoe.org -w proxy-secret \
> -b "cn=users,dc=ad,dc=plainjoe,dc=org" -LLL \
> "(sAMAccountName=kristi)"
dn: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: Kristi Carter
countryCode: 0
displayName: Kristi Carter
givenName: Joe
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=plainjoe,DC=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID:: NDHKI8oYFkqN8da3Gl9a5Q==
objectSid:: AQUAAAAAAAUVAAAAEcNfczJiHypDFwoyUwQAAA==
primaryGroupID: 513
pwdLastSet: 126784120014273696
name: Kristi Carter
sAMAccountName: kristi
sAMAccountType: 805306368
sn: Carter
userAccountControl: 66048
userPrincipalName: kristi@ad.plainjoe.org
uSNChanged: 2963
uSNCreated: 2957
whenChanged: 20021006210839.0Z
whenCreated: 20021006210637.0Z
Metadirectories (cont.)
OpenLDAP's Proxy Backend (cont.)
– Now we issue a similar query to the proxy server, except that we look up a uid rather than an Active Directory sAMAccountName:
$ ldapsearch -H ldap://ldap.plainjoe.org -x \
> -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: account
cn: Kristi Carter
uid: kristi
mail: kristi@ad.plainjoe.org
– From the two results, we see that the Active Directory attributes
objectClass: user
name: Kristi Carter
sAMAccountName: kristi
userPrincipalName: kristi@ad.plainjoe.org
are mapped to
objectClass: account
cn: Kristi Carter
uid: kristi
mail: kristi@ad.plainjoe.org
Metadirectories (cont.)
OpenLDAP's Proxy Backend (cont.)
– If you remove the directive that filters out all attributes that aren't explicitly mapped (map attribute *), the response is slightly different:
$ ldapsearch -H ldap://ldap.plainjoe.org -x \
> -b "ou=windows,dc=plainjoe,dc=org" -LLL "(uid=kristi)"
dn: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
cn: Kristi Carter
DisplayName: Kristi Carter
mail: kristi@ad.plainjoe.org
# (attribute name lost in extraction): Kristi
distinguishedName: CN=Kristi Carter,ou=windows,dc=plainjoe,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: account
cn: Kristi Carter
uid: kristi
sn: Carter
– slapd still filters out some attributes because queries are still controlled by the local schema in slapd.conf: attributes unknown to that schema are filtered out
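The mapping the proxy applies can be traced with this added Python model (not OpenLDAP's back-ldap code): it applies the slapd.conf directives above to a constructed subset of Kristi's AD entry, once with and once without map attribute *; the set of attribute types assumed to be in the local schema is an assumption.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

# Directives from the slapd.conf above, keyed by the lower-cased AD name.
ATTR_MAP = {"samaccountname": "uid", "name": "cn", "userprincipalname": "mail"}
OBJECTCLASS_MAP = {"user": "account"}
SUFFIX_FROM = "cn=users,dc=ad,dc=plainjoe,dc=org"
SUFFIX_TO = "ou=windows,dc=plainjoe,dc=org"
# Assumption: attribute types the local slapd schema knows. Without
# "map attribute *" an unmapped attribute passes only if it is listed here.
LOCAL_SCHEMA = {"objectclass", "cn", "sn", "givenname", "displayname",
                "mail", "uid", "distinguishedname", "name"}
DN_SYNTAX_ATTRS = {"distinguishedname"}   # DN values are suffix-massaged too


def massage(dn: str) -> str:
    """suffixmassage: rewrite the AD suffix into the local suffix (case-insensitive)."""
    if dn.lower().endswith(SUFFIX_FROM):
        return dn[: len(dn) - len(SUFFIX_FROM)] + SUFFIX_TO
    return dn


def proxy_view(ad_entry: Entry, hide_unmapped: bool = True) -> Entry:
    """Return the AD entry as a client of the proxy sees it.
    hide_unmapped=True models "map attribute *" (only mapped attributes pass);
    False models removing that line (unmapped attributes pass if the local
    schema knows them). Mapped attributes are renamed, never duplicated."""
    out: Entry = {}
    for attr, values in ad_entry.items():
        key = attr.lower()
        if key == "objectclass":
            mapped = [OBJECTCLASS_MAP.get(v.lower(), v) for v in values]
            out.setdefault("objectClass", []).extend(mapped)
            continue
        local = ATTR_MAP.get(key)
        if local is None:
            if hide_unmapped or key not in LOCAL_SCHEMA:
                continue                      # filtered out by the proxy
            local = attr
        if key in DN_SYNTAX_ATTRS:
            values = [massage(v) for v in values]
        out.setdefault(local, []).extend(values)
    return out


# Constructed sample: a subset of the AD entry shown above.
AD_KRISTI: Entry = {
    "cn": ["Kristi Carter"],
    "displayName": ["Kristi Carter"],
    "distinguishedName": ["CN=Kristi Carter,CN=Users,DC=ad,DC=plainjoe,DC=org"],
    "objectCategory": ["CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=plainjoe,DC=org"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "name": ["Kristi Carter"],
    "sAMAccountName": ["kristi"],
    "sn": ["Carter"],
    "userAccountControl": ["66048"],
    "userPrincipalName": ["kristi@ad.plainjoe.org"],
}

if __name__ == "__main__":
    for hide in (True, False):
        print("map attribute *" if hide else "no map attribute *", proxy_view(AD_KRISTI, hide))
```

The bindpw the proxy uses is a clear-text credential for the ldap-proxy account, so slapd.conf must not be readable by anyone but slapd's user.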
Push/pull Agents for Directory Synchronization
● Common tools for synchronizing information between directories
● A single agent pulls information from one directory service and massages the data to make it acceptable for upload to another directory server
● Several directory vendors provide synchronization agents (drivers, connectors, ...)
● Data is often transferred in an XML-based format
[Diagram: Directory A and Directory B, each holding data in its directory-specific format, linked by a driver/connector transmitting data in a common format]
Push/pull Agents for Directory Synchronization (cont.)
● A partial list of commercial connector/driver offerings:
– SunOne's XMLDAP (http://wwws.sun.com/software/products/directory_srvr/)
– Novell's DirXML (http://www.novell.com/products/edirectory/dirxml/)
● Commercial vs. in-house
– Inherent knowledge of when data changes in the directory
– Homegrown tools can be very useful
Push/pull Agents for Directory Synchronization (cont.)
The Directory Services Markup Language
– XML (Extensible Markup Language) fever has infected LDAP
– DSML (Directory Services Markup Language) = an XML schema for representing LDAP information as document fragments
– DSML v1.0 is really just an attempt at replacing LDIF
– DSML v2.0 (May 2002) adds new and interesting functionality:
● DSML v2.0 is designed to provide methods for representing LDAP queries, updates, and responses in XML
● This allows e.g. embedded devices to access LDAP data without an LDAP client library, using only XML parsing and SOAP
– No concrete examples yet
– More info: http://www.oasis-open.org/committees/dsml/